Google Awards Record $112,500 Bounty for Android Exploit Chain

Prolific bug hunter Guang Gong has earned the highest-ever payout for a vulnerability in the history of Google’s Android Security Rewards program, which began in 2015.

He earned a combined $112,500 for the disclosure of an Android exploit chain impacting Google’s Pixel handset that could allow an attacker to inject arbitrary code via a malicious URL accessed via the phone’s Chrome browser.

Gong, a researcher with Qihoo 360’s Alpha Team, earned $105,000 via Google’s Android Security Rewards program and a bonus $7,500 through the Chrome Rewards program. Google said the issues were patched as part of its December 2017 monthly security update.

The exploit chain included CVE-2017-5116 and CVE-2017-14904, both rated as “high” severity bugs by the Common Vulnerability Scoring System.

The first vulnerability (CVE-2017-5116) is a V8 engine type confusion bug that allows “a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML,” according to the MITRE description. The second flaw (CVE-2017-14904) is “a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox,” according to a description in an Android Developers Blog.

“Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome,” Google wrote.

For years Gong, and Alpha Team, have been successful bug hunters discovering copious vulnerabilities in the Android ecosystem. At the 2016 PwnFest hacker contest Gong was awarded $120,000 in prize money by event sponsors for exploiting a zero-day vulnerability in Google’s Pixel phone in less than 60 seconds.

The largest-ever payout by the Android Security Rewards program comes on the heels of a decision by Google to increase the maximum bounty payouts for kernel exploits from $30,000 to $150,000 remote kernel exploit and $50,000 to $200,000 for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise.